Custom auth domain — sketch + park

2026-05-13 · 🅿️ sketched + parked — resume signal is client-facing, not aesthetic.

The thing

Cloudflare Zero Trust currently lands users at https://xlabs.cloudflareaccess.com/... when they hit a gated surface (devreports.dare.co.uk, audreyinc-beta, audrey-dashboard, etc.). For solo internal use that URL is fine. For anything client-facing, it reads as:

Generic CDN, security layer, and DNS provider sitting in front of dare.co.uk.">CF-provider branding, not yours
“Is this a phishing site?” pause moment for first-time visitors
Wrong-domain credibility hit during what should be a confident login

The fix is a custom auth domain — auth.<something> — that takes over the login surface. End user sees a redirect through your brand. CDN, security layer, and DNS provider sitting in front of dare.co.uk.">CF Access still does the work behind it.

Architecture

                     ┌──────────────────────────────────┐
  Client hits gated  │  https://<gated-surface>         │
  surface            │  (devreports / dashboards /      │
                     │   client-specific portals)       │
                     └─────────────────┬────────────────┘
                                       │ unauthenticated
                                       ▼
                     ┌──────────────────────────────────┐
                     │  CF Access redirect to:          │
                     │  https://auth.<your-domain>/     │
                     │      cdn-cgi/access/...          │
                     │  (instead of                     │
                     │   xlabs.cloudflareaccess.com)    │
                     └─────────────────┬────────────────┘
                                       │
                                       ▼
                     ┌──────────────────────────────────┐
                     │  One-Time-PIN challenge          │
                     └─────────────────┬────────────────┘
                                       │ ✓ authenticated
                                       ▼
                     ┌──────────────────────────────────┐
                     │  Back to gated surface           │
                     └──────────────────────────────────┘

Single auth domain serves the whole portfolio. Clients on any gated surface (dare, audrey, dogwood, future client engagements) authenticate through one canonical URL.

Hostname candidates

Per the short-URL preference, brevity is weighted; per the client-facing-trust trigger, the URL must read as legitimate to outside eyes.

Hostname	Length	Trust signal	Trade-off
`auth.gf.cx`	10 chars ✓ shortest	✗ Reads cryptic/personal to unfamiliar clients — “what is gf.cx?”	Wins on brevity, loses on client-facing trust
`auth.xlabs.digital`	18 chars	✓ “digital” TLD reads as intentional-tech; xlabs = canonical infra org; professional-sounding	Slight length penalty vs. dare option
`auth.dare.co.uk`	16 chars	✓ Brand-recognized UK domain, established credibility	“dare” doesn’t immediately telegraph “auth surface” but the recognizable parent compensates

Senior recommendation: `auth.xlabs.digital`

Three reasons:

xlabs matches the canonical infra org name (xlab-co). Auth surface is infrastructure, not brand-customer-facing — it belongs under the infra umbrella, not under any one brand’s parent domain.
.digital TLD reads as a deliberate technical choice. Modern, decisive, agency-friendly. Reads “we know what we’re doing” to a client seeing it for the first time.
Decouples auth from the dare.co.uk personal brand. As xlabs ↔ client work grows (per the agency-tenant IAM model parked earlier), having auth on a neutral infra domain stops “why is my auth on a stranger’s personal site?” friction.

Trade-off vs. auth.gf.cx: the 8-character length penalty is the cost of client-facing trust. Acceptable.

Trade-off vs. auth.dare.co.uk: parity on length, win on neutral-infra positioning, mild lift in technical-credibility reading.

When `auth.gf.cx` would win instead

If the resume signal stays strictly internal — i.e., you never hand a gated URL to a client, contractor, advisor, or external collaborator — auth.gf.cx is correct. The brevity preference wins when client-facing trust isn’t on the line.

Setup (when un-parked)

Step	Action
1	Confirm hostname choice (recommend `auth.xlabs.digital` pending Dan’s call)
2	one.dash.cloudflare.com → Settings → Custom Pages → Custom Authentication URL → enter chosen hostname
3	CDN, security layer, and DNS provider sitting in front of dare.co.uk.">CF returns a CNAME target
4	In the chosen domain’s DNS, add CNAME `auth → <target>`, DNS-only (grey cloud) — CDN, security layer, and DNS provider sitting in front of dare.co.uk.">CF Access handles SSL
5	Cert auto-provisions (~5 min)
6	Verify by visiting any existing gated app — redirect now lands on the new domain

All gated surfaces (current + future) automatically use the new domain. Zero per-app reconfig.

Why one auth domain across the portfolio

	Per-brand auth domain	Single neutral auth domain
`auth.audreyinc.com` for audrey clients	Confusing if same client accesses dogwood-gated surface — two logins for one identity	—
`auth.dogwood.house` for dogwood	Brand-tied; doesn’t scale to client engagements	—
`auth.xlabs.digital` (or `auth.dare.co.uk`)	—	Single login flow regardless of which brand’s surface; matches `xlab-co` umbrella discipline

Auth surface is operational infrastructure, not customer brand experience. The customer brand lives on audreyinc.com (the storefront) or dogwood.house (the booking site) — public, marketing-led. The authenticated layer is back-of-house; centralised infra naming wins there.

Resume signals — concrete

Trigger	What it looks like
First client engagement that needs Access-gated visibility	E.g., a client gets a private dev-reports view, or a custom dashboard during a project — they’ll see the auth URL during login and “what’s xlabs.cloudflareaccess.com?” lands in your inbox
Sharing a gated screenshot with anyone outside Dan	Even an advisor or non-technical collaborator — the URL telegraphs unpolished infra
Building a portfolio sales surface	An “agency playbook” page that shows screenshots of client work would benefit from clean auth-flow imagery
Onboarding a contractor to gated tooling	Teaching them “the random cloudflareaccess.com URL is legit, I promise” is friction

The interim signal — Option 2 team rename (xlabs → dare or xlab on xlabs.cloudflareaccess.com) — is the cheap version. Worth doing whenever it bothers you; doesn’t block the custom-domain decision.

Cost

$0. Free Cloudflare feature.

What this does NOT do

Doesn’t add identity providers (still One-Time-PIN by default; SSO/Google/GitHub IdP is a separate Zero Trust config)
Doesn’t change Access app policies (still per-app, gated by groups)
Doesn’t expose the auth flow to crawlers (it’s still a redirect target, not a public page)

Counter-pattern

Don’t build this before a client engagement actually wants it. The current xlabs.cloudflareaccess.com URL is fine for solo internal use. Premature custom-domain work is the exact “polish dressed up as infrastructure” anti-pattern the 80/20 strategic-peer frame catches.

Pattern connections

feedback_park_with_resume_conditions — sketched-and-parked is the deliverable
feedback_short_url_preference — hostname brevity weighting that informed the candidate comparison
feedback_principle_of_least_privilege — single auth domain = single attack surface, not three brand-flavored ones
feedback_just_in_time_permission_grants — same temporal logic: build when a workflow demands it, not before
reference_gcp_cli_and_agency_iam — when client folders/projects come online, this pattern slots into the agency runbook naturally
xlab_studio_rename_sweep_2026-05-13 — sibling sketch with the same closing-aphorism shape (“discovery before action is the discipline; the rename itself takes 5 minutes once the sweep is done”); different domain, same load-bearing structure of invisible-work-vs-visible-work

Trust-signal infrastructure. Cheap when triggered, premature when not.

Source: auth_custom_domain_sketch_2026-05-13.md · Rendered 2026-05-13 16:14